[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Securing SSH: Does disabling password authentication work?

On Monday 03 October 2005 02:39 pm, Steve Block wrote:
> On Mon, Oct 03, 2005 at 01:24:27PM -0700, Alvin Oga wrote:
> >On Mon, 3 Oct 2005, Steve Block wrote:
> >> I'm afraid you didn't read at all, did you? Start from the top of the
> >> thread and read again, and you'll see that my question had nothing to do
> >
> >u sure do have an whacky attitude for being the one that is cracked
> >
> >the answer still is no...  you are not any more secure
> >for the sme identical reasons posted previously that you didnt
> >read/understand to use your own words :-)
> Who said anyone was cracked? I'm trying to take a proactive security
> approach here.
> Let me clarify. In a default debian/sarge install there are three
> available SSH authentication options:
> 1) password
> 2) keyboard-interactive with pam (would allow auth against LDAP or any
> other authentication method possible with pam)
> 3) public/private keys
> According to what I can see from my logs, these automated attempts are
> trying to use the first method to log in. The second method is what the
> standard OpenSSH client uses by default when no keys are being used, and
> the log report for a failed login of this type is different than for the
> automated attempts. I prefer to use the third method myself, but like I
> said I am unwilling to only allow that method.
> I edited my ssh config file to disable the first method, leaving only 2)
> and 3) available. With the second method a user can still log in with
> their system password (default pam configuration) but the authentication
> is handled by pam and not the ssh server itself (I think). My users
> obviously haven't noticed, and I still normally use keys. I just want to
> know if it has made it impossible for the automated dictionary attacks
> to log in (the current generation, anyways).
> Sorry if I sounded snippy, it's just hard to find any solid info on
> this.
> --
> Steve Block
> http://ev-15.com/
> http://steveblock.com/
> scblock@ev-15.com


You may want to take a look at the debian package harden-doc.  They have a 
section about securing ssh as well as a wealth of information about securing 
your system.  This is no means exhaustive, but it will help.


Reply to: